Cloud networking is a path, not a label
Virtual networks, subnets, routing tables, security groups, network access lists, cloud firewalls, load balancers, private endpoints, and DNS all contribute to reachability. A private IP address does not automatically mean a service is inaccessible or properly isolated. Peering, routing hubs, VPNs, dedicated private connectivity, proxy services, shared DNS, and administrative paths can create additional routes. Reviews should follow the actual source, destination, identity, protocol, and return path.
Public endpoint review
| Endpoint question | Evidence to retain |
|---|---|
| Who can reach it? | Expected client networks, identity gates, load-balancer or firewall policy, and approved exceptions. |
| What does it expose? | Service purpose, ports or protocols, data classification, owner, authentication boundary, and health behavior. |
| How does traffic return? | Routes, NAT or proxy behavior, asymmetric-path risk, DNS resolution, and hybrid dependencies. |
| How is it observed? | Flow logs, firewall decisions, application logs, alerts, retention, and owners for review. |
Exposure review checklist
- Inventory public IPs, public load balancers, API gateways, object-storage sharing, administrative interfaces, and managed-service endpoints.
- Identify private service access paths, including private endpoints, service endpoints, transit hubs, peering, shared virtual networks, and hybrid routes.
- Review inbound policy and egress controls separately. Restricting inbound traffic does not establish that workloads cannot contact unapproved destinations.
- Check management access, database exposure, DNS dependencies, and security-group references that may be broader than an address range suggests.
- Include container or orchestration network controls at the level needed to show workload-to-workload paths and ownership.
Cloud flow validation workflow
- Define the expected client, service, protocol, identity control, and data classification.
- Trace forward and return routes across load balancers, NAT, routing hubs, firewalls, private links, and on-premises devices.
- Compare effective policy with intended policy. Document inherited or shared rules, not only the local rule set.
- Use approved test traffic and logs to validate the bounded path; do not infer every reachable path from one successful request.
- Record denied-path behavior, monitoring coverage, rollback conditions, and owners before a network change.
Fictional application path
A private application service accepts requests through an internal load balancer. A partner reaches it over a VPN, while a deployment system in another account uses a routing hub. Review shows that an overly broad security-group reference permits more internal sources than intended. The team narrows the reference, documents the partner path and DNS dependency, validates both return routes, and retains flow-log samples. The private address helped scope the design, but it was not proof of isolation.
Common mistakes
Common mistakes include opening a database for troubleshooting without an expiry, assuming NAT is an authorization boundary, ignoring egress, or failing to model asymmetric routing through a security device. Multi-region designs also need region-specific DNS, logging, and recovery checks rather than assuming a second region automatically provides the same control behavior.
Hybrid routing checklist
For hybrid connectivity, record each virtual network, on-premises prefix, routing hub, VPN or private circuit, DNS resolver, firewall point, and owner. Check route propagation and return-path expectations after any change, including failover paths. Shared services can be reached through more than one route, so document intended traffic and denied traffic separately. Reviewers should also identify which logs are collected on each side of the boundary and how they are correlated. This supports a bounded flow conclusion, not a complete reachability claim.
Related Vuln Signal content
Continue with Network Security Architecture, Firewall Policy Design Review, Cloud Security Architecture, DNS Lookup, TLS Certificate Checker, and DNS Investigation practice.